On Thu, Sep 9, 2010 at 8:39 AM, Charles Mills <charl...@mcn.org> wrote:

> Yeah, it's documented "bottom-up" and in the wrong place. APF is not an
> "authorized assembler service." APF authorization is in the realm of
> operations and security, not assembler programming. Sure, it impacts
> assembler programs and programmers, but it also impacts COBOL and Rexx
> programs. Catalog management affects assembler programs, but it's not
> documented with the GET macro.
>


What little documentation there is is older than Methuselah's tomcat and you
have to be schooled in interpreting the arcane way things are described. Be
thankful for what exists.



> "APF is a facility for identifying certain load libraries to z/OS. If an
> executable program is (1) stored in an APF-authorized library and (2)
> link-edited with AC(1) then it is said to be "APF-authorized."
>



Keep in mind that APF authorization is an attribute of a running job step. A
job step becomes APF authorized if and only if the job step program is
linked AC(1) *and* is loaded from a dataset in the APF list. If the job step
is APF authorized then the job step task and all of its subtasks are
considered "authorized". Otherwise none of the tasks are authorized.



> As an untrusted programmer can freely link edit or bind a program with
> AC(1), an installation can only protect these privileged facilities by using
> RACF or another security subsystem to control the ability to store programs
> into APF-authorized libraries, and also the ability to APF-authorize a load
> library."
>


True. One point to note is that the AC attribute has no effect whatsoever on
programs that are not job step programs, but I'd like a dollar for every
load library that has AC(1) sprayed around like confetti.


-- 
This email might be from the
artist formerly known as CC
(or not) You be the judge.
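
Added example, not part of the original email or written by either poster: a small audit sketch that applies the rule stated above (a job step is authorized only when its program is linked AC(1) and loaded from an APF-listed data set) and flags the two conditions the thread cares about. All data set names, members, user IDs and the `TRUSTED` set are constructed sample data; a real audit would take them from the installation's APF list, a library scan and a RACF access report.

```python
# Constructed sample data: every data set, member and ID below is made up.
APF_LIST = {"SYS1.LINKLIB", "PROD.AUTHLIB"}

# (library, member, AC code set at link-edit/bind time)
MODULES = [
    ("SYS1.LINKLIB", "SYSUTIL", 1),
    ("PROD.AUTHLIB", "PAYROLL", 0),
    ("DEV.LOADLIB", "MYTOOL", 1),
    ("DEV.LOADLIB", "REPORT", 0),
]

# library -> {user or group: RACF access level}; "*" stands for UACC
ACCESS = {
    "SYS1.LINKLIB": {"*": "READ", "SYSPROG": "ALTER"},
    "PROD.AUTHLIB": {"*": "READ", "SYSPROG": "ALTER", "DEVGRP": "UPDATE"},
    "DEV.LOADLIB": {"*": "READ", "DEVGRP": "UPDATE"},
}

WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}  # levels that allow storing a program
TRUSTED = {"SYSPROG"}                          # assumption: IDs allowed to update APF libraries


def step_authorized(library, ac, apf_list=APF_LIST):
    """Both conditions must hold: AC(1) and an APF-listed library."""
    return ac == 1 and library in apf_list


def audit(modules=MODULES, apf_list=APF_LIST, access=ACCESS, trusted=TRUSTED):
    findings = []
    # AC(1) outside the APF list grants nothing: it is "confetti", worth cleaning up.
    for lib, member, ac in modules:
        if ac == 1 and lib not in apf_list:
            findings.append(("INERT_AC1", lib, member))
    # The real control: who can store programs into an APF-listed library.
    for lib in sorted(apf_list):
        for who, level in sorted(access.get(lib, {}).items()):
            if level in WRITE_LEVELS and who not in trusted:
                findings.append(("UNTRUSTED_WRITE", lib, who))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```
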